Security researchers warn of worm blitzkriegs

cDc for Internet security plan

Security researchers are warning of the availability of more powerful virus writing techniques, which call for a more co-ordinated approach to combat next generation worms.

In a paper, How to 0wn the Internet in Your Spare Time, Stuart Staniford of Silicon Defense, Vern Paxson of the ICSI centre for internet research and Nicholas Weaver of University of California Berkeley, argue the ability of attackers to rapidly gain control of vast numbers of Internet hosts poses grave security risks. They suggest surreptitious worms, which spread more slowly but are much harder to detect, "could arguably subvert upwards of 10,000,000 Internet hosts".

On a different track they suggest worm writing techniques which could be used to create ultra-virulent worms capable of spreading so quickly that they outflank anti-virus defences. Among the techniques are hit list scanning (which creates a Warhol worm - capable of infecting numerous hosts in 15 minutes), permutation scanning (which enables self co-ordinating scanning), or flash worms (which use enormous hit lists).

Once worms have succeeded in compromising hosts they might be used in denial of service attacks, to steal sensitive information or even destabilise the Internet, according to the researchers.

The analysis is based in large part on a mathematical analysis of the spread of the Nimda and Code Red worms. The risk from the Code Red worm were greatly hyped at the time, but that's not to say that the warning of the researchers is wildly misplaced.

Every time a new virus is released it takes time to spot it, time for AV vendors to develop an antidote and time to distribute this antidote (virus signature definition file). At the industry's annual get together, Virus Bulletin, in Prague last year, concerns were expressed that this approach is in danger of becoming obsolete.

Improvements in the speed of antivirus analysis and management tools are continuing but can only go so far. Meanwhile virus writing s'kiddiots are taking full advantage of the Internet to spread their wares.

Staniford, Paxson and Weaver argue that the possible use of ultra-virulent worms calls for the cyber equivalent of the Centers for Disease Control and Prevention in the US, and they sketch out the role and functions of such an organisation.

The paper will form the basis of a more detailed presentation to be given at the Usenix Security Forum in August. ®